06 May

What Plugin Vulnerabilities Was Up to in April

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service. Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during April (and what you have been missing out on if you haven’t signed up yet).

Paid customers of the service can suggest and vote on plugins to have a security review done by us (you can also order a review separately). This month we released details of our review of Shareaholic.

During the month we added data on 61 vulnerabilities. Many of those vulnerabilities were ones that we discovered (26 of them) or ones where no report was put out on the vulnerability and we determined the details from other information we ran across (another 30 of them).  By comparison other data sources had less vulnerabilities than either of those categories alone, as the WPScan Vulnerability Database only added 16 vulnerabilities and ThreatPress only added 15. ThreatPress seems to almost entirely copy data from the WPScan Vulnerability Database and WPScan Vulnerability Database intentionally doesn’t include a lot of vulnerabilities for a reason that doesn’t make sense to us (and probably one that wouldn’t make sense to you either).

As of the end of the month, 10 of the vulnerabilities we had added to the data set still had yet to be fixed.

We added vulnerabilities in the following plugins to our data set during the month:

  • 404page and Julio Potier
  • A2 Optimized WP
  • Apply Online
  • ARI Adminer
  • Battle Suit for Divi
  • Better Robots.txt – Index, rank & SEO booster + Woocommerce
  • BIALTY – Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce
  • Blog Designer
  • CheetahO Image Optimizer
  • Contact Form Builder
  • Download Manager (WordPress Download Manager)
  • Email Subscribers & Newsletters
  • Feedburner Alternative and RSS Redirect Plugin (RSS Redirect & Feedburner Alternative)
  • Form Maker
  • Gallery PhotoBlocks
  • Groundhogg
  • hashtagger
  • Justified Gallery
  • LeaderBoard LITE (LeaderBoard Plugin)
  • Link Log
  • LittleBot ACH for Stripe + Plaid
  • Login No Captcha reCAPTCHA
  • MaxGalleria
  • Mobile Blocks
  • Mobile Booster
  • My Instagram Feed
  • Notification
  • Pctags – Pinterest Conversion Tags
  • Pinblocks — Gutenberg blocks with Pinterest widgets
  • PollDeep
  • Print My Blog
  • Related Posts
  • Resize Image After Upload
  • RSVPMaker
  • Server Info
  • Simple Feature Requests
  • smart Archive Page Remove
  • smart User Slug Hider
  • Social Login, Social Sharing by miniOrange (WordPress Social Login (Facebook, Google, Twitter))
  • SupportCandy
  • Ultimate Member
  • VO Store Locator
  • Windsor Strava Athlete
  • WooCommerce Checkout Manager
  • WooCommerce Cross-Seller
  • WooCommerce Invoices & Packing Slips Plugin (PDF Invoices & Packing Slips For
  • WooCommerce)
  • WooCommerce Order Export and More (WooCommerce Export Orders and More)
  • WooCommerce PayPlug
  • WP Buddha Free Adwords Plugin (Free Adwords Campaigner)
  • WP Database Backup
  • WP Google Maps
  • WP Inventory Manager
  • Yellow Pencial (Visual CSS Style Editor)
  • Zielke Specialized Catalog

We discovered and disclosed vulnerabilities in the following of those plugins during the month:

  • 404page
  • Apply Online
  • Blog Designer
  • Email Subscribers & Newsletters
  • Groundhogg
  • hashtagger
  • LeaderBoard LITE (LeaderBoard Plugin)
  • Link Log
  • PollDeep
  • smart Archive Page Remove
  • smart User Slug Hider
  • Social Login, Social Sharing by miniOrange (WordPress Social Login (Facebook,
  • Google, Twitter))
  • SupportCandy
  • WooCommerce Checkout Manager
  • WP Buddha Free Adwords Plugin (Free Adwords Campaigner)
  • WP Database Backup
  • WP Google Maps
  • WP Inventory Manager
  • Yellow Pencil (Visual CSS Style Editor)
  • Zielke Specialized Catalog

Other vulnerabilities we added were discovered by Georg Knabl, Magnus Klaaborg Stubman, Panagiotis Vagenas, and ThuraMoeMyint.

During the month we helped to get vulnerabilities in the following plugins with over 489,080 installs fixed:

  • Child Themes Helper
  • Download Manager (WordPress Download Manager)
  • Groundhogg
  • hashtagger
  • LeaderBoard LITE (LeaderBoard Plugin)
  • Option Tree
  • smart Archive Page Remove
  • Social Login, Social Sharing by miniOrange (WordPress Social Login (Facebook, Google, Twitter))
  • SupportCandy
  • WooCommerce Checkout Manager
  • WP Database Backup
  • WP Inventory Manager
  • WP Security Audit Log
  • Yellow Pencil (Visual CSS Style Editor)

Leave a Reply

Your email address will not be published. Required fields are marked *